CVE-2024-3591
MEDIUM
Geo Controller WP <8.6.5 - Code Injection
Title source: llm
Description
The Geo Controller WordPress plugin before 8.6.5 unserializes user input via some of its AJAX actions and REST API routes, which could allow unauthenticated users to perform PHP Object Injection when a suitable gadget is present on the blog.
Scores
CVSS v3
6.5
EPSS
0.0041
EPSS Percentile
61.0%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Classification
CWE
CWE-502
Status
published
Affected Products (1)
infinitumform/geo_controller
< 8.6.5
Timeline
Published
May 01, 2024
Tracked Since
Feb 18, 2026